Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cve[email protected]CVE-2013-4286
HistoryFeb 26, 2014 - 2:55 p.m.

CVE-2013-4286

2014-02-2614:55:08
CWE-20
[email protected]
web.nvd.nist.gov
654
4
apache tomcat
http connector
ajp connector
request smuggling
cve-2013-4286
nvd
security advisory

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

9.3 High

AI Score

Confidence

High

0.972 High

EPSS

Percentile

99.8%

JSON

Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request’s length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a “Transfer-Encoding: chunked” header. NOTE: this vulnerability exists because of an incomplete fix for CVE-2005-2090.

Affected configurations

NVD
Node
apachetomcatMatch7.0.0
OR
apachetomcatMatch7.0.0beta
OR
apachetomcatMatch7.0.1
OR
apachetomcatMatch7.0.2
OR
apachetomcatMatch7.0.2beta
OR
apachetomcatMatch7.0.3
OR
apachetomcatMatch7.0.4
OR
apachetomcatMatch7.0.4beta
OR
apachetomcatMatch7.0.10
OR
apachetomcatMatch7.0.11
OR
apachetomcatMatch7.0.12
OR
apachetomcatMatch7.0.13
OR
apachetomcatMatch7.0.14
OR
apachetomcatMatch7.0.15
OR
apachetomcatMatch7.0.16
OR
apachetomcatMatch7.0.17
OR
apachetomcatMatch7.0.18
OR
apachetomcatMatch7.0.19
OR
apachetomcatMatch7.0.20
OR
apachetomcatMatch7.0.21
OR
apachetomcatMatch7.0.22
OR
apachetomcatMatch7.0.23
OR
apachetomcatMatch7.0.24
OR
apachetomcatMatch7.0.25
OR
apachetomcatMatch7.0.26
OR
apachetomcatMatch7.0.27
OR
apachetomcatMatch7.0.28
OR
apachetomcatMatch7.0.29
OR
apachetomcatMatch7.0.30
OR
apachetomcatMatch7.0.31
OR
apachetomcatMatch7.0.32
OR
apachetomcatMatch7.0.33
OR
apachetomcatMatch7.0.34
OR
apachetomcatMatch7.0.35
OR
apachetomcatMatch7.0.36
OR
apachetomcatMatch7.0.37
OR
apachetomcatMatch7.0.38
OR
apachetomcatMatch7.0.39
OR
apachetomcatMatch7.0.40
OR
apachetomcatMatch7.0.41
OR
apachetomcatMatch7.0.42
OR
apachetomcatMatch7.0.43
OR
apachetomcatMatch7.0.44
OR
apachetomcatMatch7.0.45
OR
apachetomcatMatch7.0.46
Node
apachetomcatMatch8.0.0rc1
OR
apachetomcatMatch8.0.0rc2
Node
apachetomcatRange6.0.37
OR
apachetomcatMatch1.1.3
OR
apachetomcatMatch3.0
OR
apachetomcatMatch3.1
OR
apachetomcatMatch3.1.1
OR
apachetomcatMatch3.2
OR
apachetomcatMatch3.2.1
OR
apachetomcatMatch3.2.2
OR
apachetomcatMatch3.2.2beta2
OR
apachetomcatMatch3.2.3
OR
apachetomcatMatch3.2.4
OR
apachetomcatMatch3.3
OR
apachetomcatMatch3.3.1
OR
apachetomcatMatch3.3.1a
OR
apachetomcatMatch3.3.2
OR
apachetomcatMatch4
OR
apachetomcatMatch4.0.0
OR
apachetomcatMatch4.0.1
OR
apachetomcatMatch4.0.2
OR
apachetomcatMatch4.0.3
OR
apachetomcatMatch4.0.4
OR
apachetomcatMatch4.0.5
OR
apachetomcatMatch4.0.6
OR
apachetomcatMatch4.1.0
OR
apachetomcatMatch4.1.1
OR
apachetomcatMatch4.1.2
OR
apachetomcatMatch4.1.3
OR
apachetomcatMatch4.1.3beta
OR
apachetomcatMatch4.1.9beta
OR
apachetomcatMatch4.1.10
OR
apachetomcatMatch4.1.12
OR
apachetomcatMatch4.1.15
OR
apachetomcatMatch4.1.24
OR
apachetomcatMatch4.1.28
OR
apachetomcatMatch4.1.29
OR
apachetomcatMatch4.1.31
OR
apachetomcatMatch4.1.36
OR
apachetomcatMatch5
OR
apachetomcatMatch5.0.0
OR
apachetomcatMatch5.0.1
OR
apachetomcatMatch5.0.2
OR
apachetomcatMatch5.0.3
OR
apachetomcatMatch5.0.4
OR
apachetomcatMatch5.0.5
OR
apachetomcatMatch5.0.6
OR
apachetomcatMatch5.0.7
OR
apachetomcatMatch5.0.8
OR
apachetomcatMatch5.0.9
OR
apachetomcatMatch5.0.10
OR
apachetomcatMatch5.0.11
OR
apachetomcatMatch5.0.12
OR
apachetomcatMatch5.0.13
OR
apachetomcatMatch5.0.14
OR
apachetomcatMatch5.0.15
OR
apachetomcatMatch5.0.16
OR
apachetomcatMatch5.0.17
OR
apachetomcatMatch5.0.18
OR
apachetomcatMatch5.0.19
OR
apachetomcatMatch5.0.21
OR
apachetomcatMatch5.0.22
OR
apachetomcatMatch5.0.23
OR
apachetomcatMatch5.0.24
OR
apachetomcatMatch5.0.25
OR
apachetomcatMatch5.0.26
OR
apachetomcatMatch5.0.27
OR
apachetomcatMatch5.0.28
OR
apachetomcatMatch5.0.29
OR
apachetomcatMatch5.0.30
OR
apachetomcatMatch5.5.0
OR
apachetomcatMatch5.5.1
OR
apachetomcatMatch5.5.2
OR
apachetomcatMatch5.5.3
OR
apachetomcatMatch5.5.4
OR
apachetomcatMatch5.5.5
OR
apachetomcatMatch5.5.6
OR
apachetomcatMatch5.5.7
OR
apachetomcatMatch5.5.8
OR
apachetomcatMatch5.5.9
OR
apachetomcatMatch5.5.10
OR
apachetomcatMatch5.5.11
OR
apachetomcatMatch5.5.12
OR
apachetomcatMatch5.5.13
OR
apachetomcatMatch5.5.14
OR
apachetomcatMatch5.5.15
OR
apachetomcatMatch5.5.16
OR
apachetomcatMatch5.5.17
OR
apachetomcatMatch5.5.18
OR
apachetomcatMatch5.5.19
OR
apachetomcatMatch5.5.20
OR
apachetomcatMatch5.5.21
OR
apachetomcatMatch5.5.22
OR
apachetomcatMatch5.5.23
OR
apachetomcatMatch5.5.24
OR
apachetomcatMatch5.5.25
OR
apachetomcatMatch5.5.26
OR
apachetomcatMatch5.5.27
OR
apachetomcatMatch5.5.28
OR
apachetomcatMatch5.5.29
OR
apachetomcatMatch5.5.30
OR
apachetomcatMatch5.5.31
OR
apachetomcatMatch5.5.32
OR
apachetomcatMatch5.5.33
OR
apachetomcatMatch5.5.34
OR
apachetomcatMatch5.5.35
OR
apachetomcatMatch6
OR
apachetomcatMatch6.0
OR
apachetomcatMatch6.0.0
OR
apachetomcatMatch6.0.0alpha
OR
apachetomcatMatch6.0.1
OR
apachetomcatMatch6.0.1alpha
OR
apachetomcatMatch6.0.2
OR
apachetomcatMatch6.0.2alpha
OR
apachetomcatMatch6.0.2beta
OR
apachetomcatMatch6.0.3
OR
apachetomcatMatch6.0.10
OR
apachetomcatMatch6.0.11
OR
apachetomcatMatch6.0.12
OR
apachetomcatMatch6.0.13
OR
apachetomcatMatch6.0.14
OR
apachetomcatMatch6.0.15
OR
apachetomcatMatch6.0.16
OR
apachetomcatMatch6.0.17
OR
apachetomcatMatch6.0.18
OR
apachetomcatMatch6.0.19
OR
apachetomcatMatch6.0.20
OR
apachetomcatMatch6.0.24
OR
apachetomcatMatch6.0.26
OR
apachetomcatMatch6.0.27
OR
apachetomcatMatch6.0.28
OR
apachetomcatMatch6.0.29
OR
apachetomcatMatch6.0.30
OR
apachetomcatMatch6.0.31
OR
apachetomcatMatch6.0.32
OR
apachetomcatMatch6.0.33
OR
apachetomcatMatch6.0.35
OR
apachetomcatMatch6.0.36

References

Social References

More

Related

osv 5
nvd 3
veracode 3
securityvulns 6
seebug 3
ubuntucve 1
tomcat 6
cvelist 2
debiancve 1
github 2
prion 2
redhat 21
ibm 17
openvas 31
cve 2
nessus 43
mageia 2
fedora 3
oraclelinux 4
amazon 1
ubuntu 1
centos 2
f5 2
cert 1
debian 3
freebsd 1
vmware 2
gentoo 1
oracle 5
osv
osv
Apache Tomcat is vulnerable to HTTP request-smuggling
2022-05-14 01:10:36
Tomcat Vulnerable to Web Cache Poisoning
2022-05-01 02:04:54
tomcat6 - security update
2014-11-23 00:00:00
nvd
nvd
CVE-2013-4286
2014-02-26 14:55:08
CVE-2014-4286
2014-06-18 21:55:03
CVE-2005-2090
2005-07-05 04:00:00
veracode
veracode
Request-smuggling Attacks
2019-01-15 08:59:20
Authorization Bypass
2019-05-02 05:02:08
HTTP Request Smuggling
2018-11-13 06:55:19
securityvulns
securityvulns
[SECURITY] CVE-2013-4286 Incomplete fix for CVE-2005-2090 (Information disclosure)
2014-02-28 00:00:00
Apache Tomcat multiple security vulnerabilities
2014-03-31 00:00:00
CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities (Updated - v1.1)
2009-01-28 00:00:00
seebug
seebug
Apache Tomcat 安全限制绕过漏洞
2014-02-26 00:00:00
Apache Tomcat不完整修复信息泄漏漏洞
2014-02-27 00:00:00
Mac OS X 2007-007更新修复多个安全漏洞
2007-08-02 00:00:00
ubuntucve
ubuntucve
CVE-2013-4286
2014-02-26 00:00:00
tomcat
tomcat
Fixed in Apache Tomcat 7.0.47
2013-10-24 00:00:00
Fixed in Apache Tomcat 8.0.0-RC3
2013-09-23 00:00:00
Fixed in Apache Tomcat 6.0.39
2014-01-31 00:00:00
cvelist
cvelist
CVE-2013-4286
2014-02-26 11:00:00
CVE-2005-2090
2005-06-30 04:00:00
debiancve
debiancve
CVE-2013-4286
2014-02-26 14:55:00
github
github
Apache Tomcat is vulnerable to HTTP request-smuggling
2022-05-14 01:10:36
Tomcat Vulnerable to Web Cache Poisoning
2022-05-01 02:04:54
prion
prion
Design/Logic Flaw
2014-02-26 14:55:00
Design/Logic Flaw
2014-06-18 21:55:00
redhat
redhat
(RHSA-2014:0458) Moderate: Red Hat JBoss Data Virtualization 6.0.0 security update
2014-04-30 18:58:00
(RHSA-2014:0374) Important: Red Hat JBoss Data Grid 6.2.1 update
2014-04-03 21:51:02
(RHSA-2014:0511) Important: Red Hat JBoss Operations Network 3.2.1 security update
2014-05-15 17:17:17
ibm
ibm
Security Bulletin: Open Source Apache Tomcat - 4 issues (CVE-2013-4286) for RAF
2018-06-17 04:55:52
Security Bulletin: Rational Build Forge Security Advisory (CVE-2013-4286)
2018-06-17 04:53:14
Security Bulletin: Security vulnerabilities in Apache Tomcat for WebSphere Application Server Community Edition 2.1.1.6 and 3.0.0.4(CVE-2013-4286,CVE-2012-3544,CVE-2013-4322,CVE-2013-4590,CVE-2014-0033)
2018-06-15 07:01:06
openvas
openvas
Apache Tomcat Multiple Vulnerabilities - 01 (Mar 2014)
2014-03-25 00:00:00
Mageia: Security Advisory (MGASA-2014-0148)
2022-01-28 00:00:00
Mageia: Security Advisory (MGASA-2014-0149)
2022-01-28 00:00:00
cve
cve
CVE-2014-4286
2014-06-18 21:55:03
CVE-2005-2090
2005-07-05 04:00:00
nessus
nessus
RHEL 5 : Red Hat JBoss Enterprise Application Platform 6.2.2 update (Moderate) (RHSA-2014:0343)
2014-04-01 00:00:00
RHEL 6 : JBoss EAP (RHSA-2014:0344)
2014-04-01 00:00:00
Oracle Solaris Third-Party Patch Update : tomcat (multiple_vulnerabilities_in_apache_tomcat4)
2015-01-19 00:00:00
mageia
mageia
Updated tomcat package fixes security vulnerabilities
2014-04-03 04:16:05
Updated tomcat package fixes security vulnerabilities
2014-04-03 04:16:05
fedora
fedora
[SECURITY] Fedora 20 Update: tomcat-7.0.52-1.fc20
2014-09-26 09:02:42
[SECURITY] Fedora 19 Update: Pound-2.6-8.fc19
2014-11-07 02:38:03
[SECURITY] Fedora 20 Update: Pound-2.6-8.fc20
2014-11-12 02:45:18
oraclelinux
oraclelinux
tomcat6 security update
2014-04-23 00:00:00
tomcat security update
2014-07-20 00:00:00
Important: tomcat security update
2007-06-26 00:00:00
amazon
amazon
Medium: tomcat6
2014-05-21 10:45:00
ubuntu
ubuntu
Tomcat vulnerabilities
2014-03-06 00:00:00
centos
centos
tomcat6 security update
2014-04-23 19:07:14
jakarta, tomcat5 security update
2007-05-14 22:49:09
f5
f5
SOL16828 - Apache Tomcat vulnerability CVE-2005-2090
2015-07-02 00:00:00
K16828 : Apache Tomcat vulnerability CVE-2005-2090
2015-07-02 00:00:00
cert
cert
Single crafted HTTP request may result in multiple responses
2005-02-04 00:00:00
debian
debian
[SECURITY] [DSA 2897-1] tomcat7 security update
2014-04-08 18:25:14
[SECURITY] [DLA 91-1] tomcat6 security update
2014-11-23 09:02:25
[SECURITY] [DSA 3530-1] tomcat6 security update
2016-03-25 18:47:56
freebsd
freebsd
tomcat -- multiple vulnerabilities
2007-04-27 00:00:00
vmware
vmware
Updated Tomcat and Java JRE packages for VirtualCenter 2.5, VirtualCenter 2.0.2, ESX 3.5, ESX 3.0.2, and ESX 3.0.1.
2008-01-07 00:00:00
Updated Tomcat and Java JRE packages for VirtualCenter 2.5, VirtualCenter 2.0.2, ESX 3.5, ESX 3.0.2, and ESX 3.0.1.
2008-01-07 00:00:00
gentoo
gentoo
Apache Tomcat: Multiple vulnerabilities
2014-12-15 00:00:00
oracle
oracle
Oracle Critical Patch Update - April 2015
2015-04-14 00:00:00
Oracle Critical Patch Update - July 2014
2014-07-15 00:00:00
Oracle Critical Patch Update - October 2014
2014-10-14 00:00:00

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

9.3 High

AI Score

Confidence

High

0.972 High

EPSS

Percentile

99.8%

JSON
Related for CVE-2013-4286
osv5nvd3veracode3securityvulns6seebug3ubuntucve1tomcat6cvelist2debiancve1github2prion2redhat21ibm17openvas31cve2nessus43mageia2fedora3oraclelinux4amazon1ubuntu1centos2f52cert1debian3freebsd1vmware2gentoo1oracle5